[Original text] Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.

-
Vulnerability information (F35726)

Debian Security Advisory 637-1 - Philip Hazel announced a buffer overflow in the host_aton function in exim-tls, the SSL-enabled version of the default mail-transport-agent in Debian, which can lead to the execution of arbitrary code via an illegal IPv6 address.

-
Vulnerability information (F35647)

iDEFENSE Security Advisory IDEF0725 - Local exploitation of a buffer overflow vulnerability in Exim 4.41 may allow execution of arbitrary commands with elevated privileges. The problem specifically exists in the host_aton function. The function fails to check the number of elements it stores in a fixed size array. The elements come from a user-controlled string and are passed into the program from a command line option.

Exim host_aton() Buffer Overflow Vulnerability
iDEFENSE Security Advisory [IDEF0725]
http://www.idefense.com/application/poi/display?type=vulnerabilities
January 07, 2005
I. BACKGROUND
Exim is a message transfer agent developed for use on Unix systems. More
information is available at:
http://www.exim.org/
II. DESCRIPTION
Local exploitation of a buffer overflow vulnerability in Exim 4.41 may
allow execution of arbitrary commands with elevated privileges.
The problem specifically exists in the host_aton function. The function
fails to check the number of elements it stores in a fixed size array.
The elements come from a user-controlled string and are passed into the
program from a command line option.
III. ANALYSIS
Exploitation of this vulnerability will give an attacker access to the
mailer uid. The exim mailer is setuid root, but drops privileges before
the vulnerable code is reached. Having the mailer uid may allow access
to sensitive information in e-mail messages or possibly further
elevation.
IV. DETECTION
Exim versions 4.40 and 4.41 have been confirmed vulnerable. The source
code for version 4.42 suggests that it is also vulnerable. It is
suspected that previous versions are vulnerable.
V. WORKAROUND
iDEFENSE is currently unaware of any effective workarounds for this
vulnerability.
VI. VENDOR RESPONSE
A patch for Exim release 4.43 which addresses this vulnerability is
available at:
http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html
The patch will be incorporated into a future Exim release (4.50).
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0021 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
12/23/2004 Initial vendor notification
12/29/2004 Initial vendor response
01/07/2005 Public disclosure
IX. CREDIT
The discoverer of this vulnerability wishes to remain anonymous.
Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp
X. LEGAL NOTICES
Copyright (c) 2004 iDEFENSE, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

-
Vulnerability information

-
Vulnerability description

A remote overflow exists in Exim. Exim fails to properly check input to host_aton() resulting in a buffer overflow. With a specially crafted request of an IPv6 address with more than 8 components, an attacker can cause execution of arbitrary code resulting in a loss of integrity.
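As an added example (not code from Exim or from any of the advisories quoted here), the following C converter shows the check the advisories say host_aton() lacked: it parses a textual IPv6 address into exactly 8 groups, allows a single "::", and rejects input with more than 8 components instead of storing past the end of a fixed-size array. The function names are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
#define IPV6_GROUPS 8

/* Parse colon-separated 16-bit hex groups from s into out[]. Returns the number
 * of groups, or -1 if a group is malformed or more than max would be stored. */
static int parse_groups(const char *s, uint16_t *out, int max)
{
    int n = 0;
    if (*s == '\0') return 0;                     /* empty side of "::" */
    for (;;) {
        unsigned v = 0, len = 0;
        while (isxdigit((unsigned char)*s)) {
            int c = tolower((unsigned char)*s++);
            if (++len > 4) return -1;             /* a group is at most 4 hex digits */
            v = v * 16 + (isdigit(c) ? c - '0' : c - 'a' + 10);
        }
        if (len == 0) return -1;                  /* missing or non-hex group */
        if (n >= max) return -1;                  /* the count check host_aton lacked */
        out[n++] = (uint16_t)v;
        if (*s == '\0') return n;
        if (*s++ != ':') return -1;
    }
}

/* Convert text (at most one "::") into addr[8]; 0 on success, -1 if rejected. */
int ipv6_aton_checked(const char *text, uint16_t addr[IPV6_GROUPS])
{
    uint16_t head[IPV6_GROUPS], tail[IPV6_GROUPS];
    int nh, nt = 0;
    char buf[64], *dc;
    if (strlen(text) >= sizeof buf) return -1;    /* longer than any valid address */
    strcpy(buf, text);
    dc = strstr(buf, "::");
    if (dc) {
        char *rest = dc + 2;
        *dc = '\0';
        if (strstr(rest, "::")) return -1;        /* only one "::" is legal */
        nh = parse_groups(buf, head, IPV6_GROUPS - 1);   /* "::" stands for >= 1 group */
        if (nh < 0 || (nt = parse_groups(rest, tail, IPV6_GROUPS - 1 - nh)) < 0) return -1;
    } else {
        nh = parse_groups(buf, head, IPV6_GROUPS);
        if (nh != IPV6_GROUPS) return -1;         /* without "::" exactly 8 groups */
    }
    memset(addr, 0, IPV6_GROUPS * sizeof *addr);  /* zero-fill the elided groups */
    memcpy(addr, head, nh * sizeof *addr);
    memcpy(addr + IPV6_GROUPS - nt, tail, nt * sizeof *addr);
    return 0;
}
```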

-
Timeline

Disclosure date:
2005-01-06

Discovery date:
2004-12-23

Exploit date: Unknown

Fix date: Unknown

-
Solution

Upgrade to version 4.44 or higher, as it has been reported to fix this vulnerability. In addition, Exim has released a patch for some older versions.

-
Vulnerability discussion

A local buffer overflow vulnerability triggered by an excessively long command line argument affects Exim. This issue is due to a failure of the application to validate the length of user-supplied data prior to attempting to store it in process buffers.

An attacker may leverage this issue to execute arbitrary code with the privileges of the affected mailer application. As the application is a setuid application, it is possible that further privilege escalation may occur.

-
Exploit

The following proof of concept exploits have been made available by Rafael San Miguel Carrasco <smcsoc@yahoo.es> (eximExploit.tar.gz), pi3ki31ny (p_exim.c), and Tony Lockett "plugger" <plug@internode.on.net> (exim-exploit.c).

-
Solution

The University of Cambridge has reportedly released a patch dealing with this issue, although this is not confirmed. Users are advised to contact the vendor for more information.

SuSE Linux has released a security summary report (SUSE-SR:2005:002) that contains fixes to address this and other vulnerabilities. Customers are advised to peruse the referenced advisory for further information regarding obtaining and applying appropriate updates.

ALT Linux has released updates dealing with this and other issues. Please see the reference section for more information.